How to Test Critical Actions

Some platform operations require an additional security validation called a critical action token.

This mechanism exists to reduce operational risks and prevent sensitive operations from being executed without an additional user confirmation.

In the Sandbox environment, you can validate this flow with a default token that is made available exclusively for homologation (integration acceptance testing).


When to use

Testing critical actions is recommended for integrations that need to homologate operations protected by additional security validations.

This scenario is commonly used when validating flows related to:

  • transfers;
  • withdrawals;
  • sensitive financial transactions;
  • operations protected by anti-fraud mechanisms.

Token used in Sandbox

For tests performed in the Sandbox environment, use the following value:

000000

This token can be used whenever an operation requires critical action validation during homologation.

Important

The token above is intended exclusively for the Sandbox environment and is not valid in production.


How the flow works

When a protected operation requires critical action validation, the integration must provide the requested token together with the request.

Simplified flow:

Start operation
        ↓
Critical action validation
        ↓
Send token
        ↓
Process operation
        ↓
Receive result

The way the token is sent depends on the operation being used and the specific implementation of the corresponding endpoint.


Homologation example

A typical validation follows the flow below:

Create transfer
        ↓
Provide token
000000
        ↓
Execute operation
        ↓
Receive confirmation

This process allows you to validate your application's behavior when handling protected operations before using it in production.


Expected behavior

During Sandbox testing:

  • the 000000 token is accepted for homologation;
  • no real security validation is executed;
  • the flow can be tested without requiring additional user interaction;
  • the operation remains subject to all other API validations.

If the request does not meet the operation requirements, other errors may still be returned normally.


Disabling the token in Sandbox

If necessary, the critical action token can be disabled for transfer tests in the Sandbox environment.

This configuration exists exclusively to facilitate specific homologation processes.

Attention

The critical action token is a security mechanism.

Disabling it reduces protection against unauthorized operations and does not represent the recommended behavior for production.

To request the token to be disabled in Sandbox, contact the Integration Success team:

Get in touch
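
The Sandbox token and the Sandbox-only option to disable it are both shortcuts that must not reach production. The Python below is an added example, not code from this platform's documentation or SDK, showing one way an integration can gate them by environment and fail closed. The `Settings` class, the `token_disabled` flag, the environment names and the `critical_action_token` field name are assumptions; the real field depends on the endpoint being used.

```python
from dataclasses import dataclass
from typing import Callable, Optional

SANDBOX_TOKEN = "000000"  # sandbox default from this page; never valid in production


class CriticalActionError(Exception):
    """Raised when the token setup would weaken a protected operation."""


@dataclass(frozen=True)
class Settings:
    environment: str              # "sandbox" or "production" (assumed names)
    token_disabled: bool = False  # assumed local flag mirroring the sandbox-only opt-out


def resolve_token(settings: Settings, ask_user: Callable[[], str]) -> Optional[str]:
    """Return the token to send, or None when the sandbox opt-out is active."""
    if settings.environment not in ("sandbox", "production"):
        raise CriticalActionError(f"unknown environment: {settings.environment!r}")
    if settings.environment == "sandbox":
        # Sandbox needs no user interaction, so ask_user is never called here.
        return None if settings.token_disabled else SANDBOX_TOKEN
    # Production: fail closed on any sandbox shortcut before a request is built.
    if settings.token_disabled:
        raise CriticalActionError("token cannot be disabled in production")
    token = ask_user().strip()
    if not token or token == SANDBOX_TOKEN:
        raise CriticalActionError("production requires a real user-confirmed token")
    return token


def build_transfer_request(settings: Settings, payload: dict,
                           ask_user: Callable[[], str]) -> dict:
    """Attach the token under a hypothetical field name; real endpoints may differ."""
    body = dict(payload)
    token = resolve_token(settings, ask_user)
    if token is not None:
        body["critical_action_token"] = token  # hypothetical field name
    return body


if __name__ == "__main__":
    sample = {"value": 10.0, "description": "constructed sample transfer"}
    print(build_transfer_request(Settings("sandbox"), sample, lambda: ""))
```

Running the same checks in CI against the production configuration catches a leaked Sandbox token or a leftover disable flag before deployment.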


Best practices

Recommended

  • Homologate flows using the token before requesting its disablement.
  • Maintain additional validation mechanisms in your application whenever applicable.
  • Restrict sensitive operations by IP whenever possible.
  • Monitor financial operations through your application's auditing mechanisms.
  • Consider using additional validations for high-risk financial transactions.

Additional security

To increase the security of financial operations, it is also possible to use complementary mechanisms such as:

  • IP restrictions;
  • suspicious activity monitoring;
  • withdrawal validation via Webhook;
  • internal approval controls.

These features help reduce operational risks and increase integration security.

